> On May 15, 2016, at 5:00 PM, Viktor Dukhovni <[email protected]> wrote:
>
>> DANE does not explain
>> what to do if TLSA records lookup fails due to MitM.
>
> *This* is where you're wrong, see
> https://tools.ietf.org/html/rfc7672#section-2.1
> The error behaviour for SMTP with DANE *is* specified, and avoids
> downgrade attacks.
By way of example, the folks at isphuset.no host a handful of DNSSEC
domains, but use an outdated version of PowerDNS that is not capable of
correct DNSSEC denial of existence. Therefore, when they report that
TLSA records don't exist for one of those domains, it looks like an MiTM
attack ("bogus" denial-of-existence proof).

http://dnsviz.net/d/_25._tcp.amihotel.no/dnssec/

With DANE enabled, Postfix connections to these domains fail.

$ posttls-finger amihotel.no
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
found. Name service error for name=_25._tcp.amihotel.no type=TLSA: Host not
found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
found. Name service error for name=_25._tcp.amihotel.no type=TLSA: Host not
found, try again
posttls-finger: Failed to establish session to amihotel.no via amihotel.no:
TLSA lookup error for amihotel.no:25

I reported the problem to them on 4/Aug/2015, they're "working on it".
I expect there's a chance it'll be fixed by 4/Aug/2016.

Similarly, the nameservers of patriotguard.org are misguidedly configured to
drop TLSA queries as a security^Wignorance feature in a firewall to
protect^Wbreak the nameservers. This too resembles an MiTM attack:

http://dnsviz.net/d/_25._tcp.svcs.patriotguard.org/dnssec/

$ dig -t tlsa _25._tcp.svcs.patriotguard.org ...
;; connection timed out; no servers could be reached

$ dig -t a _25._tcp.svcs.patriotguard.org ...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1607
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;_25._tcp.svcs.patriotguard.org. IN A
patriotguard.org. SOA ns1.patriotguard.org. root.patriotguard.org.
2016033101 1200 120 2419200 60
... signatures, NSEC3 RRs, ...

And again Postfix avoids the downgrade attack:

$ posttls-finger patriotguard.org
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
found. Name service error for name=_25._tcp.svcs.patriotguard.org type=TLSA:
Host not found, try again
posttls-finger: warning: DANE TLSA lookup problem: Host or domain name not
found. Name service error for name=_25._tcp.svcs.patriotguard.org type=TLSA:
Host not found, try again
posttls-finger: Failed to establish session to patriotguard.org via
svcs.patriotguard.org: TLSA lookup error for svcs.patriotguard.org:25

Out of ~530,000 DNSSEC domains surveyed, I have a list of ~200 that fail due
to defective DNS support that is indistinguishable from a downgrade attack.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
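As an added example (not code from the post, from Postfix or from RFC 7672), the following Python models the client-side decision the thread is about: each outcome of the DNSSEC-validated TLSA lookup is mapped to a delivery policy, and the two failure modes described above (a bogus denial-of-existence proof and a dropped query) become a temporary failure rather than a cleartext fallback. The hostnames, lookup outcomes and policy labels are constructed for illustration, and the model assumes the MX host itself came from a DNSSEC-secure lookup.

```python
# Added example (not from the mailing-list post, Postfix or RFC 7672 text):
# a model of the SMTP client's decision after a DNSSEC-validated TLSA lookup.
from dataclasses import dataclass, field
from enum import Enum

class DnsStatus(Enum):
    SECURE = "secure"                # validated answer, TLSA RRset present
    SECURE_NODATA = "secure-nodata"  # validated proof that no TLSA records exist
    INSECURE = "insecure"            # unsigned zone: DANE is simply not available
    BOGUS = "bogus"                  # validation failed (e.g. a broken NSEC3 proof)
    ERROR = "error"                  # SERVFAIL or timeout (e.g. dropped TLSA queries)

class Policy(Enum):
    DANE = "dane"             # TLS required and the certificate must match a TLSA record
    ENCRYPT = "encrypt"       # TLS required, but no usable record to authenticate against
    OPPORTUNISTIC = "may"     # use TLS if offered, cleartext otherwise
    DEFER = "defer"           # temporary failure: keep the mail queued and retry later

@dataclass
class TlsaLookup:
    status: DnsStatus
    # TLSA RDATA as (usage, selector, matching_type, cert_data) tuples
    records: list = field(default_factory=list)

def usable(rr):
    # RFC 7672 supports only usages 2 and 3, selectors 0 and 1, matching types 0..2
    usage, selector, mtype, _data = rr
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2)

def choose_policy(lookup: TlsaLookup) -> Policy:
    # The key point of the thread: a bogus or failed lookup is an error, never a
    # fallback to cleartext, so a MitM (or broken DNS) cannot downgrade the session.
    if lookup.status in (DnsStatus.BOGUS, DnsStatus.ERROR):
        return Policy.DEFER
    if lookup.status == DnsStatus.SECURE:
        if any(usable(rr) for rr in lookup.records):
            return Policy.DANE
        return Policy.ENCRYPT      # signed RRset with only unusable records
    return Policy.OPPORTUNISTIC    # secure NODATA or unsigned zone

# Constructed lookup outcomes mirroring the two cases in the post (labels are mine).
SAMPLE_LOOKUPS = {
    "_25._tcp.amihotel.no": TlsaLookup(DnsStatus.BOGUS),            # bad denial proof
    "_25._tcp.svcs.patriotguard.org": TlsaLookup(DnsStatus.ERROR),  # query timed out
    "_25._tcp.mx.example": TlsaLookup(DnsStatus.SECURE, [(3, 1, 1, "ab" * 32)]),
}

def policies(lookups=SAMPLE_LOOKUPS):
    return {name: choose_policy(lk) for name, lk in lookups.items()}
```

Both real-world failures in the post land on DEFER, which is the "try again" that posttls-finger reports, while only a secure RRset with a usable record yields authenticated DANE TLS.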